[Dshield] Are you using spf records?

Martin Forest martin at forest.gen.nz
Thu Jan 5 22:48:25 GMT 2006


I'm also a fan of SPF.
The more domains that start using SPF the better it will be.
With SPF, you will know if the email is from an "authentic" server. Sure,
the domain may be a spam domain, but this is where sender reputation comes
in.
For example:
1) If the email is from a non-valid server, i.e. SPF=fail (or possibly even
softfail), drop it.
1.b) If the email (SPF) is softfail, tag as spam.
2) If the email is from a whitelisted domain and SPF=pass, deliver.
(Whitelisting can be either a local whitelist with your customers etc.
and/or an external organization that lists "well-behaving domains", similar
to RBL lists.)
3) If SPF is pass or none, proceed with normal spam checking.

SMTP is a mess. Bad design, bad standards etc. Until we have an
alternative mail protocol, we must use add-on systems. In my opinion, we
have hit the point where traditional spam tagging/filtering is no longer
enough. With SPF and sender reputation (i.e. lists of well-behaving domains)
we can start looking for/filtering out the good email and tagging the rest.
And yes, it will only work when everyone is using -All. But I don't see
any problem with using ~All during a transition phase.

Cheers
Martin Forest



On Fri, 06 Jan 2006 08:57:54 +1300, Stasiniewicz, Adam <stasinia at msoe.edu>  
wrote:

> FUD ALARM!!
>
> Do you even have the slightest idea of how SPF works?  Actually read
> about it before saying something: http://www.openspf.org/howworks.html.
> I am not going to defend the technology; I just want to make sure that
> people don't get the wrong idea from a couple of open-ended, unsupported
> comments.
>
> 1. SPF has nothing to do with reporting spam.  It does not send any
> reports to anyone, nor does it rely on the need for an ISP to
> "investigate" any claims.
> 2. A lot of spam uses forged headers, so unless you carefully check the
> header, you can't be sure that it came from a real hotmail server.
> 3. SPF does one thing: it stops email from originating from a source
> other than the authentic outgoing email server for a domain.  It knows
> which servers are authentic outgoing email servers by using a DNS query
> for the specific SPF record (encapsulated in a TXT record).
>
> Now SPF is not without flaws.
>
> 1. If a domain does not publish SPF records, email from that domain can
> be forged.
> 2. If a domain uses an "all" operator other than "-all", many
> filters will not do any filtering on the email.
> 3. There is nothing stopping a spammer from sending email from say
> "someone at abay.com" (note the first letter of domain).
> 4. Many organizations don't use SPF, so it will be ineffective for many
> emails.  But it can always be used with great success internally.
> 5. If a malicious user can gain relay to a server which SPF thinks is
> legit, then SPF won't help.
> 6. If a malicious user has his own domain, he can add SPF records for
> his spamming server, or simply not use SPF at all.
> 7. SPF is not an end-all solution for fighting spam; it is just another
> method that can be used as part of an overall strategy in fighting spam.
>
> Please actually research what you are talking about before saying
> something.
>
> Regards,
> Adam Stasiniewicz
> Computer and Communication Services Department
> Milwaukee School of Engineering
> MSCE: Messaging & Security 2003
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Abuse
> Sent: Thursday, January 05, 2006 12:19 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Are you using spf records?
>
> ** Reply to message from Martin Forest <martin at forest.gen.nz> on Thu, 05
> Jan 2006 19:40:57 +1300
>
>> I have done some minor research with SPF records. It is nice to see
>> that several of the big domains such as hotmail, msn, aol etc have started
>> to use SPF records.
>
> A lot of good that will do.  I report spam to hotmail and almost all
> replies say it did not originate with us.  Well it originated with one of
> their users and was sent through one of hotmail's servers.  With an attitude
> like that we will never get rid of spam.
>
>
>> Especially as they are often used in forged emails. With
>> them posting spf, it is now possible to block the spam bots that use
>> their "from addresses".
>
> Any program that uses the FROM address to filter spam (or anything for
> that matter) should be deleted from your system.  It does not work, it can
> never work, so why use it?
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own
> couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
>
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list



-- 
If you take copy protection too far, the only customers you will have are  
the ones that intend to sell illegal copies of your work. By: Martin Forest
Warning: DRM/BMG protected CD’s are likely to infect you with a Rootkit.
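The four-step policy from Martin's post, as an added example (not code from the thread): a minimal SPF evaluator for constructed records with ip4 mechanisms and an "all" qualifier, followed by the fail/softfail/whitelist decision. The domains, records and whitelist are hypothetical; include/a/mx mechanisms (which need DNS lookups) are not handled, and "neutral" is treated like "none", which the post does not cover.

```python
"""Evaluate a minimal SPF record for a connecting IP, then apply the
fail -> drop, softfail -> tag, whitelist+pass -> deliver, else spam-check
policy from the post. Added example; not from the mailing list thread."""
import ipaddress

# Constructed sample records standing in for DNS TXT lookups (hypothetical domains)
SPF_RECORDS = {
    "strict.example":  "v=spf1 ip4:192.0.2.0/24 -all",    # hard fail for others
    "soft.example":    "v=spf1 ip4:198.51.100.10 ~all",   # transition-phase ~all
    "neutral.example": "v=spf1 ip4:203.0.113.0/24 ?all",
}
# Local whitelist of well-behaving domains (step 2 in the post); hypothetical
WHITELIST = {"strict.example"}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Return pass/fail/softfail/neutral/none for client_ip sending as domain.
    Only ip4 mechanisms and 'all' are supported in this example."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # no SPF published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"                         # mechanisms default to a pass qualifier
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qual]         # -all / ~all / ?all decide the remainder
        if term.startswith("ip4:") and ip.version == 4:
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qual]
    return "neutral"                       # no mechanism matched and no 'all' term


def policy(domain, client_ip, whitelist=WHITELIST):
    """Map the SPF result plus whitelist membership to an action."""
    result = check_spf(domain, client_ip)
    if result == "fail":
        return "reject"                    # step 1: drop forged senders
    if result == "softfail":
        return "tag-as-spam"               # step 1.b
    if result == "pass" and domain in whitelist:
        return "deliver"                   # step 2: trusted domain, authentic server
    return "spam-check"                    # step 3: pass (not whitelisted), none, neutral
```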


